Virtually every major browser and operating system was a target at this week's "Pwn2Own" hacking contest, with Apple Safari, Mozilla Firefox, and Internet Explorer 8 vulnerabilities exploited, along with flaws in the iPhone OS.

On the first day of the competition based in Vancouver, British Columbia, Canada, researchers found a way to take advantage of Apple's Safari browser in Mac OS X 10.6 Snow Leopard, its latest operating system, according to CNet.

Unsurprisingly, Charlie Miller, principal security analyst with Independent Security Evaluators, took home the $10,000 prize after he hacked Safari on a MacBook Pro without having access to the machine. He's the same researcher who cracked Safari in Mac OS X last year, taking home the $5,000 prize. He also hacked a MacBook Air in 2008 at the competition.

Miller has also repeatedly said that he believes Macs are a safer alternative to Windows PCs for average users. He cited the lack of malware on the Mac platform as the principal reason for his recommendation.

Last year Miller also discovered an SMS hack in the iPhone that Apple quickly patched after it was made public. But researchers at this year's Pwn2Own found yet another SMS hack to take home a $15,000 prize.

Ralf-Philipp Weinmann, from the University of Luxembourg, and Vincenzo Iozzo, from German company gained access to an iPhone that was not "jailbroken," a procedure that allows users to run unauthorized code and unlock the handset for use on unapproved carriers.

By making a user visit a malicious Web site, the exploit allowed the researchers to access the phone's entire database of text messages, including deleted ones. The two wrote the hack in about two weeks, and the data was received in the competition in under 20 seconds.

The two said the hack could be modified to allow access to more data, such as contacts and photos. The transfer takes place without the victim ever knowing they have been hacked.

When prizes are accepted at the Pwn2Own competition, put on by TippingPoint, the exploited methods are revealed only to the affected company so that it can patch the flaws.

Also hacked in this year's competition was Microsoft's Internet Explorer 8 browser. Peter Vreugdenhil, an independent security researcher from the Netherlands, took home a $10,000 prize by taking advantage of two vulnerabilities for a four-part hack that compromised the user's system.

Another person who went solely by Nils, the head of research at MWR InfoSecurity in the U.K., discovered an exploit in Firefox on the 64-bit version of Windows 7. He took home a $10,000 prize.

It happens every year. It doesn't mean any more than it did the first time.

What counts is what's actually in the wild.

Hackers in these contests pick Apple products to attack first in order to maximize publicity. The fact that hacking a Mac is so popular at these events, combined with the fact that zero self-propagating viruses have ever successfully attacked OS X users in the wild in over 9 years speaks volumes.

Problem is that this isn't really a true test of how easy it is to hack a Mac. I mean it took them two weeks prior to develop the exploits. NONE of the Mac hacks were done on the spot and some of the hacks won't work anyway because the latest patches fixed that.

No, what would be a true test would be if no one was allowed to bring anything, were not allowed to access a machine for a month prior to the contest, and then perform hacks onsite only. That would be a true test.

The hackers don't really pick the Mac. The contest is fair. They draw positions. The organizers decide which devices go in what order. They don't just pick Macs either. Firefox on Win 7, Explorer on Win 7, and Chrome on Win 7 are also in the contest.

Well obviously then the organizers had it in for Apple. They chose Apple products to go first and be hacked by the best hackers. They probably even had keyloggers pre-installed.

That is not entirely correct... they hack them because they are low-hanging fruit. The Mac has been the first computer hacked 3 years in a row so far. But this was the first time the iPhone was compromised. This will happen more and more as Apple gains market share. This is the #1 reason Macs are slow to dent the business world.....

Tallest Skil:

"Eventually Google will have their Afghanistan with Oracle and collapse" "The future is Apple, Google, and a third company that hasn't yet been created."

A true test of what exactly? The point of this is that it can be hacked; not how long it takes. The event is called pwn2own, not pwnfast2own.

This is one of those things in life that are both relevant and pointless at the same time. It's great to see attention put toward making our computers safer by way of competition, but the exploits seem mostly to be important to a very select few people.

Spending two weeks to write code that could extract my SMS history is noteworthy, and could be pushed to a lot of hacked sites but without getting root access very few are going to care. I am curious how any webcode can call other services on the iPhone and hope Apple does a better job sandboxing the iPhone's browser, but I won't lose sleep over it if they don't.

Quote:

Originally Posted by mstone

Chrome is next up. Hasn't been hacked because it is on today's agenda. The others were yesterday.

Have the other handsets gone yet?

Dick Applebaum on whether the iPad is a personal computer: "BTW, I am posting this from my iPad pc while sitting on the throne... personal enough for you?"

Macs are more secure by a combination of superior security architecture (vs. MS) ...

That's not true anymore since Vista. It's even the other way around since the "Secure Development Lifecycle" initiative. But IE was created before this started so that's why IE should be "cleaned" from the ground up.

In this case, one of the rules of the competition is that you don't release the exploit publicly. The details of the exploit are given to the organizers who in turn give them to the manufacturers so they can correct the vulnerability.

It is actually a good thing. The publicity generated by the event puts pressure on the manufacturers to act.

Please think before you post on a forum like this. What you say here is not only inaccurate, it's almost verbatim what the "contest" organisers would like you to believe in defiance of the facts.

It's a contest that professes to determine the very things you think it does, but in fact is completely rigged in terms of what hacks are attempted, who goes first, and what kind of access they get. The one thing this contest cannot ascertain, is which of the various computer systems or browsers are more vulnerable. This inability is designed right into the structure of the event.

The danger is that people like you reading accounts of the contest, assume that the first browser or OS to be compromised is the most insecure. This is why many serious security specialists don't participate in the contest. It directly misleads the public into thinking that the results actually mean anything in the real world.

You should think first then post......
Everything I wrote was accurate. Don't attack me personally...we can disagree but quit the personal attack.........
I work for a Fortune 100 company. We are testing 200 iPhones in our highly regulated extremely audited corporate environment. They have so many limitations in the business world concerning security and administration it is not even worth comparing to other solutions. We have 2000 Macs in our Media Departments that are segmented because of the vulnerabilities from the rest of the corporate network. Mac OSX is not as secure as you think it is just because you like your Mac and think it is cool. You can cite that there are no viruses in the wild for the Mac platform but you are kidding yourself. They can be compromised as easily or more easily than any other system. This is fact.....
I am an Apple fan. I have Macs at home AND I have an iPhone and I will buy 2 iPads for my wife and my teenage son. But I also know their limitations. Also I am NOT an Apple hater just because I disagree with you. Look up my posts and threads and you will see I don't post negative Apple stuff here.........

Can you explain what you mean by "first"?
Do they line up every device, and every OS, for each contestant, and then say "GO!"?
And the first device / system to fall is the first to fall (ie, the weakest).
Most headlines I read about this contest seem to suggest that OS X was hacked; and that the others are still being worked on, and not yet successfully hacked.
But I have no idea how the competition is actually set up.
Is Charlie Miller unable to hack a Windows machine?

I mean; if they do Safari hacks on day 1, and Internet Explorer isn't up for hacking till day 3, one wouldn't say, "Oooh burn!; Safari was hacked right on the first day!! Internet Explorer is still standing!"

I'm sure I'm missing something here.

They set up the fully patched machines and then the hackers try to compromise the machines. The Mac was compromised first for...I think 3 years in a row.......
All of this can be found if you Google Pwn2Own. Here is one link to tons of stuff concerning this subject...don't take my word for it, read it for yourself: http://www.computerworld.com/s/artic...?taxonomyId=17

That magazine caters to the Windows world, nothing said in that article can be construed as fact, it's mostly FUD.

Okay let's be a little adult about this...

They went 'after' Apple because it has the best 'in the wild' track record when it comes to security AND Apple has no qualms about boasting that fact.

Going after ANY Microsoft product?!?! Perhaps a project that the 'preschoolers' might find mildly challenging but if you notice nobody gets too much 'street cred' for boasting their latest attack on Microsoft... UNLESS perhaps the OS was just released or 'newly patched' to be 'even more secure!'

Linux is so open it's not even worth talking about... It's like bragging you stole a boat load of cash when in fact you simply took a few pennies from the 'need a penny' container at the 7-11.

So yes.. the SUPER SPOTLIGHT is clearly shown on hackers who tackle Apple products and ... rightfully so...

BUT as others have already pointed out... this crap is done EVERY YEAR by these folks and yes somehow another year ticks by without a significant* virus, worm or trojan making assaults on OS X based systems or devices.

* I used 'significant' simply because I couldn't with a 100% certainty say nobody on a Mac based system was ever attacked or infected by a virus in the past year while running its native OS (OS X and/or iPhone OS) not dual booting or virtual machines running alternate OS... That kinda crap clearly wouldn't count!

Most of what you wrote was correct except...that the Mac was compromised first based on the amount of time it took to compromise the system. If I remember right the Ubuntu system was not compromised or was compromised last....... But for 3 years in a row the Mac was compromised first....and NOT by a virus but by malicious coded websites via Safari. The exploits the last 2 years were well known and reported to Apple but were not patched. Last year the Mac was compromised in 2 minutes......

I think there is a lot of misinformation in this thread. Please do a little research. I know there is not a lot of info available for this year's contest. There is no blow by blow account like an Apple Keynote, but this is sort of how it works:

Security researchers register for the contest. They are prepared in advance for a certain exploit on a certain platform. They pick random time slots out of a hat. It just so happens that the iPhone slot was chosen first by a certain group this year. That is not to say that there weren't other groups who also had a prepared exploit against a certain device but didn't get a chance because there is only one prize per platform/browser.

The person who was registered to hack the Nokia went missing in action so no result for that device. Also it appears that there was no registered party for the Chrome platform so it went untested as well.